[00:00.000 --> 00:07.440]  X-Force Red. I'm here to talk to you all about a fantastic chain of vulnerabilities that leads to
[00:07.440 --> 00:13.640]  domain admin. I call this Printers to Domain Admin. So, first off, what we're going to be
[00:13.640 --> 00:19.620]  exploiting is this wonderful feature that tifkin from SpecterOps discovered called the MS-RPRN
[00:19.620 --> 00:27.460]  Print Spooler bug. Basically what it does is it's a feature to have a domain controller tell a
[00:27.460 --> 00:34.280]  client where its printers are. Now, any user can request this packet to be sent to them.
[00:34.500 --> 00:40.780]  And what it can also do is try and force authentication. Now, if the client says,
[00:40.780 --> 00:45.180]  hey, I only support NTLM version 1, and the domain controller is trying to authenticate to them,
[00:45.180 --> 00:50.600]  it will authenticate using its machine account. That machine account can then be reversed from
[00:50.600 --> 00:57.480]  NTLM version 1 to NTLM. And once reversed to NTLM, we can create a silver ticket
[00:58.380 --> 01:03.940]  and then DCSync the server. So, with that, let's begin. The first thing we're going to need to do
[01:03.940 --> 01:09.200]  is find out the domain SID of the machine we're going to attack. Now, we're going to specify that
[01:09.200 --> 01:16.120]  we start off with domain user credentials. And so, we are already a regular domain user. We
[01:16.120 --> 01:20.000]  would have gotten this through Responder, some other method, or being a legit user on the network.
[01:20.560 --> 01:32.940]  So, we'll run enum4linux on 192.168.1.3 on my mog.local domain. Now, we're going to see a
[01:32.940 --> 01:39.300]  whole bunch of stuff. So, we have to scroll up, and we're going to see the domain SID
[01:39.300 --> 01:44.640]  is right here. This is the security identifier for the domain,
[01:44.640 --> 01:49.600]  and it did not require any credentials to pull. So, we're going to go export SID equals
[01:50.080 --> 01:55.500]  domain. And quotes, even though these aren't required, I put them around just out of my own
[01:55.500 --> 02:02.640]  safety sake because I've been burned once or twice. So, we now have the SID. Fantastic.
[02:03.040 --> 02:07.480]  Next thing we're going to need is we're going to need to go use our credentials on the net
[02:07.480 --> 02:19.960]  NTLM server ticket repo with a tool called Dementor. So, we're now in the repo. So,
[02:19.960 --> 02:25.160]  we're going to go dot slash our Python Dementor dot py.
[02:27.420 --> 02:32.980]  Help. So, in order to use Dementor, we need a domain username, which is going to be
[02:33.820 --> 02:41.880]  evilmog. We need a password. In this case, password is password with an exclamation mark.
[02:42.320 --> 02:47.800]  Yes, this is a demo. Yes, it's junk. I'm okay with this. Now, we're going to use a domain.
[02:47.800 --> 02:53.740]  evilmog. Next thing we're going to do is go into another window. We're going to set up
[02:53.740 --> 03:04.160]  Responder. So, Responder interface of eth0. Yeah, let's go with that.
[03:06.320 --> 03:10.520]  And now we're going to fire over to Dementor and fire off the authentication back at us.
[03:10.780 --> 03:17.780]  Next thing we're going to need is the listener IP. So,
[03:18.960 --> 03:23.300]  $attacker IP. I pre-exported mine because I can't remember what it was.
[03:23.580 --> 03:31.730]  And we're going to go with the target IP. It's going to send the attack. We're seeing access
[03:31.730 --> 03:39.390]  denied. Here, we'll see an NTLM version 1 SSP hash. Now, we'll see I attempted to go set this
[03:39.390 --> 03:48.910]  as 112233455667788 for the client challenge, but it zeroed out these. I could have specified
[03:48.910 --> 03:54.150]  $attack LM and it would have gotten me a better result. But in this case, I wanted to demonstrate
[03:54.150 --> 03:59.430]  NTLM version 1 with SSP on video because it's fun. So, we're going to copy this.
[04:01.170 --> 04:04.570]  I'm now going to go into my NTLM version 1 multi-tool.
[04:07.930 --> 04:15.090]  Python ntlmv1.py. We're going to specify NTLM and our hash.
[04:16.670 --> 04:21.610]  Now, if you want to use crack.sh and pay $200, you absolutely can. The other option is we're going
[04:21.610 --> 04:27.250]  to do this with hashcat. Now, this will normally take you about three to five days with anywhere
[04:27.250 --> 04:34.150]  from 16 to 32 GPUs, or cost you about $1,000 in AWS time. I haven't timed this up for a while,
[04:34.150 --> 04:40.570]  so my numbers might be inaccurate. But on 16 GTX 1080s, it takes about four days, five.
[04:40.790 --> 04:44.910]  So, what we're going to do is we're going to copy this. We're going to copy the 14,000 hash.
[04:45.090 --> 04:51.030]  It's already ready to go into hashcat. We're going to go into my hashcat directory, paste that.
[04:52.670 --> 04:57.290]  Just make sure it's a fresh file, nothing in my slave.
[04:58.630 --> 05:02.790]  Now, we're going to take the command it told us to crack it with hashcat,
[05:02.790 --> 05:07.710]  telling us to use mode 14,000, attack mode 3, which is a brute force,
[05:07.710 --> 05:13.230]  using the DES character set, and our attack type. I'll already do it for you.
[05:13.770 --> 05:17.370]  Now, because I have a time machine, it's going to crack instantly.
[05:22.650 --> 05:27.270]  Perfect. See, it's already cracked instantly. So, let's go show these hashes right now.
[05:29.010 --> 05:34.230]  So, here we have the portion of the NTLM, but it's actually being returned as a DES key.
[05:34.450 --> 05:42.570]  We need to convert these DES keys into a portion of an NTLM. So, we're going to go to git.
[05:42.570 --> 05:51.830]  We're going to throw up my hashcat, utils, src, and we're going to want the DES key to NTLM
[05:52.490 --> 06:07.800]  portion. So, here is part one. We are then going to do part two.
[06:08.180 --> 06:18.760]  Back over here, part two. Now, the most important part, we're also going to have to calculate
[06:18.760 --> 06:27.680]  the last four characters of the NTLM. Again, there's already a hashcat utility for that. So,
[06:27.680 --> 06:35.880]  we're going to go into git slash hashcat, utils, src, and then we are going to use a profile
[06:38.460 --> 06:48.720]  CT3 to NTLM. But it already tells us that, because we do the paste,
[06:49.460 --> 06:59.100]  and there we are. We have our NTLM. So, the NTLM is going to be part one, part two,
[07:00.220 --> 07:11.560]  part three. Fantastic. So, now we're going back into our handy-dandy utility.
[07:13.820 --> 07:22.730]  Export NTLM equals. Now, to prove there's nothing up my sleeve on this one, CrackMapExec
[07:24.030 --> 07:34.630]  SMB 192.168.1.3. Username is going to be DC1$, because that means it's a machine account.
[07:34.630 --> 07:44.690]  We're going to use the hash of $NTLM. And there we are. We've authenticated as the domain
[07:44.690 --> 08:03.780]  machine account. Now, we're going to do a grep. There we are. So, we're going to run ticketer.
[08:03.860 --> 08:07.980]  Now, this command is a little bit complex. So, first we're going to run Python. We're
[08:07.980 --> 08:13.000]  going to select where our ticketer location is. We're going to use the NTLM hash, which we'll
[08:13.000 --> 08:19.160]  see here is 1D. Matches right up with what we have here ending in 904C. So, there's your NTLM
[08:19.160 --> 08:23.830]  hash for the machine account. There is the domain SID that we captured earlier,
[08:25.380 --> 08:31.660]  that is this S121 here using enum4linux. The domain name here is mog.local. Now, the important
[08:31.660 --> 08:38.880]  part is the SPN. SPN is a service principal name. So, in this case, we know it's a machine.
[08:38.880 --> 08:44.620]  So, we know it's DC1. We know it's in mog.local. All domain controllers by default will or should
[08:44.620 --> 08:51.540]  in most cases have a host slash DC or a host slash for their SPN. So, we can guess that this
[08:51.540 --> 08:58.420]  machine's SPN or look at it in BloodHound, but in this case, we guessed host slash DC1.mog.local.
[08:58.420 --> 09:03.120]  And then the administrator, guessing it's administrator, probably is. A lot of people
[09:03.120 --> 09:07.660]  change it, but that is how we create our silver ticket. Now, I'm going to hit enter.
[09:08.480 --> 09:15.020]  It's going to create this Kerberos cache file for you. Now, you need to go run an export. So,
[09:15.020 --> 09:25.780]  because I keep forgetting the syntax, history, grep export, grep ccache, head dash n1.
[09:25.880 --> 09:40.340]  There we go. Export. So, we've specified here's where our cache file is. Now, we're to proceed
[09:40.340 --> 09:54.980]  to SecretsDump, the domain controller. grep SecretsDump, grep .k, head dash n1.
[09:56.880 --> 10:06.010]  Now, there we go. So, we're going to run SecretsDump.
[10:06.890 --> 10:11.710]  The syntax for this one is going to be, you know, Python 3 SecretsDump.
[10:11.710 --> 10:18.050]  Dash k means use Kerberos. Tack no, tack pass means don't ask for a password. We're to specify
[10:18.050 --> 10:24.750]  mog at domain mog administrator at dc1 at mog.local. And we're going to DCSync the...
[10:35.310 --> 10:39.730]  Interesting. This happens. Let's go take a look.
[10:48.060 --> 10:54.100]  There we go. We just used the right tool. So, we've used our... So, the syntax for this one
[10:54.100 --> 11:00.800]  was Python running SecretsDump. Our target was administrator at dc1.mog.local.
[11:01.080 --> 11:06.840]  Dash k was use Kerberos. Tack no, tack pass was don't ask for us for the password. And here we
[11:06.840 --> 11:13.920]  see our administrator hash, our guest hash, and our machine account, which we just finished
[11:13.920 --> 11:21.650]  extracting. So, that is how you silver ticket a domain controller and DCSync it with just a
[11:21.650 --> 11:27.430]  regular domain user. Now, for mitigations on this, what you're going to wind up doing is
[11:27.430 --> 11:35.070]  there's a setting called the LAN Manager compatibility level. I'll include a link to it in the slides
[11:35.070 --> 11:42.610]  for this. There's a setting set for two or lower, which basically means allow NTLM.
[11:42.930 --> 11:46.930]  That's what... If you increase that setting to five, that will completely block this. The other
[11:46.930 --> 11:51.230]  mitigations are disable the print spooler service on any sensitive servers, such as domain
[11:51.230 --> 11:57.490]  controllers. Now, this will cause an impact on some environments, as clients will no longer be
[11:57.490 --> 12:00.950]  able to update their printer list, but hopefully you have a better way of pushing printers, such
[12:00.950 --> 12:07.050]  as SCCM. So, that is the one downside, but it will prevent domain controllers from reaching out.
[12:07.130 --> 12:13.850]  This works up until server 2016. I have not seen it work in server 2019, and it, again,
[12:13.850 --> 12:18.370]  depends on your LAN Manager compatibility level. Thank you very much for tuning in.
[12:18.370 --> 12:22.170]  This has been Evil Mog from X-Force Red and Team Hashcat.
